How YouTubers get Hacked: Redline Stealer

  • Added: 21. 08. 2024
  • A lot of large YouTube channels were hacked recently to post crypto scams. They tried to hack me too with a 715 MB Redline Stealer. Here's the full story.
    Video sponsor: Intezer. Check out analyze.inteze...
    --
    Buy the best antivirus: thepcsecurityc...
    Contact us for a cybersecurity audit/test of your business: tpsc.tech/
    Sponsor: thepcsecurityc...

Comments • 775

  • @randallvargas4457 · 2 years ago · +1394

    "Malware authors *hate* this secret trick!"
    Hilarious! Thank you for taking the time to help regular users, Leo.

    • @DemeDemetre · 2 years ago · +5

      lol

    • @stylite1637 · 2 years ago

      nah we don't hate these "secret tricks" since we can hide absolutely everything and bypass every single antivirus

    • @RubenDeJong1603 · 2 years ago · +1

      they hate a rescue disc more

    • @stylite1637 · 2 years ago · +1

      @RubenDeJong1603 we get to keep your information '-'

    • @RealRandomSmart · 2 years ago

      @stylite1637 every single antivirus? geez lol. wait.. are you a malware author lol

  • @HyperFire · 2 years ago · +1585

    Imagine trying to hack someone named the pc security channel

    • @HanSDevX · 2 years ago · +234

      and get exposed step by step

    • @Mario583a · 2 years ago · +34

      Leo: It sounded cool.

    • @Nogardtist · 2 years ago · +56

      it's most likely a bot programmed to send malware to youtubers' mail

    • @kyouhyung · 2 years ago · +29

      @Nogardtist yeah, they could easily compile a script that crawls YouTube for channels over a certain subscriber threshold, and set up a pipeline that compiles the malware and emails with the channel name and sends them to the channel's email. Perhaps the initial mail and the reply sent by the channel was the trigger that fires up the pipeline. Obviously they want to minimize the number of specimens sent out instead of spamming them all over the place and risk them being automatically flagged.

    • @Nogardtist · 2 years ago

      @kyouhyung won't making a verified email by the brand or company, with a mark or something, make it easier to filter out these parasites?
      Then let's say a newcomer starts their channel. Most tutorials or guides are either wasting time or useless; they don't give all the problems and tips a creator might face, like quality of the videos, why the algorithm hates small creators. Ironically they say most updates are for small creators' safety. There are bigger problems than the dislike ratio, and it's comment bots and fake sponsors, than what Google themselves provide with search results. But asking Google or YouTube directly is most likely gonna feel like talking to the void or a bot. Imagine if in YouTube Studio there was an option to directly talk to them instead of relying on other sites for a chance to get a response.

  • @mudi2000a · 2 years ago · +351

    A "contract" that has a size of 750MB should always be a red flag.
    Regarding the behavioral protection, we have this at work, I'm a developer and it blocks a lot of completely legit tools.

    • @4.0.4 · 2 years ago · +5

      They hope you don't notice because it's packed so small.

    • @_auser_ · 2 years ago · +5

      Talking about a 700 MB "word document", is it a good idea to just make a text file just 500 MB and just shatter anyone with a potato PC when opening it, aka spam E since why not? Notepad did crash me at 250 MB since my PC isn't the greatest as well, but it's funny and I did ruin my friend's PC. Don't worry, nothing is damaged, the CPU is just broken. This reply is really long and probably as long as 1 paragraph of a Wikipedia page

    • @_auser_ · 2 years ago · +2

      Did my YouTube just crash?

    • @HuntingKingYT · 2 years ago · +2

      @_auser_ at least ur reply isn't tons of E's

    • @_auser_ · 2 years ago · +1

      @HuntingKingYT but it's as big as one Wikipedia paragraph

  • @Draxis32 · 2 years ago · +943

    The cheeky scammers be like:
    "Hey we found this *PC SECURITY CHANNEL* let's try to fish him in!"
    I would like to have the boldness of these people at least once in my life!

    • @lIli-ht4hw · 2 years ago · +17

      @synthlord6575 how is it cringe

    • @zsi · 2 years ago

      This thread is cringe.

    • @DealsAndDiecast · 2 years ago · +6

      @synthlord6575 I'm confused how you're confused

    • @zUltra3D · 2 years ago

      Lmao

    • @nlx78 · 2 years ago

      On the other hand, they say a professional cook does not really like to cook at home on his spare night, you sometimes hear. Or in the case of Seinfeld when he had a girlfriend that was a masseuse, but she refused to give him a neck massage. Meanwhile Kramer did get one I believe... czcams.com/video/zLo3kbggWZs/video.html

  • @jackfishthe6th373 · 2 years ago · +201

    I did not know about the large file trick to evade detection! Now I understand the real reason to be wary of large downloaded/unknown files.

  • @WilliamDye-willdye · 2 years ago · +203

    If your sponsor can analyze compressed files, I suggest they change their "file too big" dialog to tell the user to try compressing the file and resubmitting.

    • @Steveson · 2 years ago · +1

      I actually got hacked a few days ago, and my McAfee subscription got over, and I was pretty much downloading a Filmora file, and don't know what had happened; my YT and all other accs got data breached online :/, I deleted that file, but I'm still scared

    • @ananthakrishnanj · 2 years ago · +1

      @Steveson lol who told you to download cracked

    • @investfoxy · 2 years ago · +2

      @Steveson Immediately change your Google and other necessary passwords like Facebook, netbanking passwords, etc

  • @lokelaufeyson9931 · 2 years ago · +125

    First rule of security: Don't open EXE files unless they are from a trusted source. If something feels strange or wrong, it's usually something bad. Say no thanks and cancel/X out.

    • @RubenDeJong1603 · 2 years ago · +7

      or/and DELETE! 🗑

    • @irpnet · 2 years ago · +10

      @RubenDeJong1603 My first rule of security is: unless it came with Windows, don't trust it! And even if it did, still don't!!

    • @Ethorbit · 2 years ago · +14

      First rule of security: don't store your precious data on Windows

    • @shib5267 · 2 years ago · +2

      first rule of security: just don't

    • @greenicalgaming · 2 years ago · +2

      First rule of security: n o

  • @CaptainXLAB · 2 years ago · +179

    Another short trick you can use without a hex editor is to compress the exe by using Windows' built-in NTFS compression. If it's full of zeros, the file size should show Size 700MB or whatever, and then Size on Disk will be something around 100 KB. I'm quite sure that the zip file in that download is also a few 100 KB as well due to compression, and 4 files of more than 700 MB each in a zip which is barely a few KB is also a dead giveaway of something being very wrong. Nice video as always :D

    • @joemama3372 · 2 years ago · +7

      Great tip! Thank you!

    • @themasterofdisastr1226 · 2 years ago · +22

      The ZIP archive he downloaded was shown as only ~400 KB, which was a pretty clear indicator that the file was bloated w/o any other tricks.

    • @rockon7478 · 2 years ago

      @themasterofdisastr1226 yo bro

    • @SmoggyLambGG · 1 year ago · +1

      VirusTotal still wouldn't take the file in regardless of compression tactics.
      Besides that, the original zipped files are still encrypted.

    • @goldenhate6649 · 1 year ago · +2

      The point isn't to get the antivirus to find it. The point is to be able to see it's a bloated file, which is a dead giveaway of a virus program. An executable shouldn't compress very much as it should have lots of important, non-compressing calls

  • @jubrajtoolsie680 · 1 year ago · +11

    The part where he got rid of the blank spaces which were only there to fill space to make the malware undetectable was mind blowing!

  • @RockTheCage55 · 2 years ago · +337

    Would be interesting to see what happens when you actually execute it with different AVs (especially windows defender :) )

    • @joemama3372 · 2 years ago · +10

      Try it and tell us! 😉

    • @whocares7078 · 2 years ago · +6

      Windows defender is shit
      You sadly are fucked if you solely rely on anything microsoft makes XD

    • @KyngD469 · 2 years ago · +58

      @whocares7078 cringe

    • @richards1213 · 2 years ago · +1

      Happened to me, you don't want that 😅

    • @dangerr_xlmao1317 · 2 years ago · +26

      @whocares7078 Windows Defender is honestly underrated because most people think that Microsoft software is pure trash.

  • @Aci_yt · 2 years ago · +35

    I fell for one of these once, kind of sad this has become such a popular thing now..

    • @jello3064 · 2 years ago · +3

      did you actually run the file or no

    • @Aci_yt · 2 years ago · +3

      @jello3064 yes, but it wasn't a contract like here, but instead a game demo

    • @pengwino828 · 2 years ago · +3

      @Aci_yt Any game that comes with no textures or dll files is fake because then it couldn't display anything

    • @Aci_yt · 2 years ago · +2

      @pengwino828 it supposedly was the installer

    • @pengwino828 · 2 years ago · +1

      @Aci_yt wow, they really thought that far ahead. At least you got your channel back.

  • @108kitsune · 2 years ago · +13

    Lots of facecam lately, interesting change

  • @DarkDonnieMarco · 2 years ago · +7

    I learned more about malware analysis in this video than the entire module on it in my master's in cybersecurity

    • @KillerSkullX · 2 months ago

      Is it really that easy to study cyber security?

  • @SriHarshaChilakapati · 2 years ago · +35

    That's an interesting trick you showed there! I've seen people embedding malware in bmp images and sharing a screensaver which will load the executable from this bmp image, but this just blasting the size with zeroes is totally new. A question though: when you just select the zeroes and simply delete them, wouldn't that render the PE file invalid? Won't moving the offsets cause issues with the loader?

    • @randomdude12370 · 2 years ago · +3

      I'm not qualified to answer, but my guess would be because it's essentially dead space, it shouldn't affect the program, which is why he just did a general delete of the zeros and didn't fine-tune it

    • @inwoner7190 · 2 years ago · +3

      @randomdude12370 It must be for the same reason they could add all the zeros just in that place, the program is behaving the same anyway

    • @blogspoto · 2 years ago · +3

      The zeros were after the main PE sections, in between let's say the .rsrc section and the overlay (the zeros could also be in the overlay or in their own custom named section) and they don't affect any offsets as no code or data points to that zero section, and the overlay is mostly for display (most RedLine payloads use corrupted certificates from big companies to try to further deceive the user into executing the payload). Any other offset used by the program's internals is calculated at runtime with regard to the image base and different sections in the PE.
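The two checks the commenters describe (CaptainXLAB's "does it compress to almost nothing?" test and blogspoto's point that null padding after the last section is not addressed by any offset) can be automated. This is an added example, not code from the video or from any commenter: it walks the PE section table, finds the largest run of null bytes, reports whether it sits past the section data, measures compressibility, and strips the padding so a size-limited scanner can be given the real content. The 1 MiB run length, the 50 % threshold and the toy PE built by `build_sample` are this example's own assumptions.

```python
import random
import re
import struct
import zlib

SECTION_HDR = 40  # size of one IMAGE_SECTION_HEADER


def parse_pe_sections(data):
    """Return [(name, raw_offset, raw_size)] from the PE section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the 4-byte signature: NumberOfSections at +2,
    # SizeOfOptionalHeader at +16; the section table starts after the optional header.
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    sections = []
    for i in range(num_sections):
        off = table + i * SECTION_HDR
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        # Name(8) VirtualSize(4) VirtualAddress(4) SizeOfRawData(4) PointerToRawData(4)
        _vsize, _vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append((name, raw_ptr, raw_size))
    return sections


def sections_end(sections):
    """File offset just past the last byte owned by any section."""
    return max((ptr + size for _, ptr, size in sections), default=0)


def largest_null_run(data, min_run):
    """(offset, length) of the longest run of at least min_run null bytes, or (-1, 0)."""
    best = (-1, 0)
    for m in re.finditer(rb"\x00{%d,}" % min_run, data):
        if m.end() - m.start() > best[1]:
            best = (m.start(), m.end() - m.start())
    return best


def assess(data, min_run=1 << 20, null_fraction=0.5):
    """Heuristic verdict: is this PE padded with nulls to inflate its size?

    Thresholds (a 1 MiB run that covers half the file) are assumptions of this
    example, not values from any scanner."""
    secs = parse_pe_sections(data)
    end = sections_end(secs)
    off, length = largest_null_run(data, min_run)
    ratio = len(zlib.compress(data, 1)) / len(data)  # ~0 for a zero-stuffed file
    return {
        "file_size": len(data),
        "sections": [n for n, _, _ in secs],
        "sections_end": end,
        "overlay_size": len(data) - end,
        "null_run": (off, length),
        "null_run_in_overlay": off >= end,
        "compression_ratio": round(ratio, 4),
        "bloated": length / len(data) >= null_fraction,
    }


def strip_null_padding(data, min_run=1 << 20):
    """Drop long null runs that sit after the section data.

    Bytes past the last section are not addressed by any RVA, so removing
    them does not disturb the loader; runs inside sections are left alone."""
    end = sections_end(parse_pe_sections(data))
    return data[:end] + re.sub(rb"\x00{%d,}" % min_run, b"", data[end:])


def build_sample(padding):
    """Constructed toy PE (not a real binary): two sections, `padding` null
    bytes after them, then a 256-byte overlay. Deterministic via a fixed seed."""
    rng = random.Random(7)

    def rnd(n):  # pseudo-random non-zero bytes, so null runs are only the padding
        return bytes(rng.randrange(1, 256) for _ in range(n))

    def sec(name, ptr, size):
        return name.ljust(8, b"\0") + struct.pack("<IIII", size, ptr, size, ptr) + b"\0" * 16

    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    hdr = dos + coff + b"\0" * 224                                 # zeroed optional header
    hdr += sec(b".text", 0x200, 0x200) + sec(b".rsrc", 0x400, 0x200)
    hdr = hdr.ljust(0x200, b"\0")
    return hdr + rnd(0x200) + rnd(0x200) + b"\0" * padding + rnd(256)


if __name__ == "__main__":
    padded = build_sample(1 << 21)  # 2 MiB of padding stands in for the ~700 MB
    print(assess(padded))
    print("stripped to", len(strip_null_padding(padded)), "bytes")
```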

  • @suhail-msk · 2 years ago · +7

    Didn't expect your face reveal

  • @ifur · 2 years ago · +36

    I love how calm you are while dealing with malware

    • @orbitalonyx · 2 years ago · +8

      For real, if I get a virus I would probably break down or something, idk, I have bad anxiety lol

    • @kamilo1175 · 2 years ago · +6

      He was probably in a VM

    • @orbitalonyx · 2 years ago · +4

      @kamilo1175 yeah most likely, pretty much every person that deals with this stuff uses a VM

    • @malwaretestingfan · 2 years ago · +2

      @kamilo1175 Indeed, or he's just experienced, or even both.

    • @roguewasbanned4746 · 2 years ago · +1

      @orbitalonyx I trust people and download files all the time, and that's why I get nervous even when I know someone is on a VM. I do creative projects with people, so you just have to hope no one gets hacked or sends anything malicious 🙃

  • @ardeof · 1 year ago · +3

    I'm curious, since when did Antivirus decide not to scan a file based on size? I remember scanners taking HOURS to scan. Why did they shuffle to "oh 10 minute scans are superior, even if we miss the actual virus"?

  • @Alberos · 2 years ago · +15

    Wow, this is the oldest trick in the book and it still works.... Changing the icon of an exe to something like Word or a folder. Windows hiding known file extensions by default isn't going to help either. And now we are starting to have people that don't even know what a "drive" and a "file" are...... things are about to get worse from here haha

    • @4.0.4 · 2 years ago · +2

      Zoomers are the new Boomers. We gotta help them so they have basic tech skills and aren't vulnerable.

    • @Yousie6 · 2 years ago

      that's implying the mid 2000's weren't god awful haha
      LimeWire ruined so many PCs

    • @nettack · 2 years ago

      Adding to the IT illiteracy is that people just want to monetize themselves on YT without merit or talent, on "character" alone. And who can blame them, once the Pauls succeeded with this crap. Be vigilant, but if you get screwed over, maybe it's time for a real job.

  • @kyouhyung · 2 years ago · +3

    Gotta have to admit, that file size trick was quite clever.

  • @yssjc1414 · 2 years ago · +9

    The ".scr" file, like in 1:53, was used to hack the crypto assets of streamers here in the Philippines.

    • @Mario583a · 2 years ago · +3

      I always knew something was off with that Pipe Dream screensaver....

    • @AlfiesFuntime · 2 years ago

      That's a screensaver file...

    • @AlfiesFuntime · 2 years ago

      @nevergonnagiveyouup4189 I didn't know that, I thought they were limited to animations

    • @AlfiesFuntime · 2 years ago

      Oh gosh does that username have RTL in it or something?
      Edit: it only appears weird on mobile

    • @user-0r67h2wdhu · 2 years ago

      @AlfiesFuntime why did you write backwards

  • @Alkaris · 2 years ago · +28

    You can take this to a Linux machine and run an audit on the EXE file itself and examine its contents all just the same with a disassembler tool for reading Windows EXE files. It'd be a safer environment for scanning them too, or inside of a VM works also.
    Also I think it's foolish for AVs to have a file size limit for scanning files if you can just bloat the file with zeros to bypass scanning checks.

    • @monchete9934 · 2 years ago · +9

      They do it because scanning huge data takes longer and it's vulnerable to zip bombs or people sending huge packets to cause a server outage

    • @jugertmucoimaj9017 · 2 years ago

      it's a pain in the ass to develop code to scan large files. The thing is, even malware coders avoid bloating with gibberish data since it's heavier to transport; you can easily write a way smaller file that's easy to transport and does what it has to do, being fast and deleting itself.

    • @adriancoanda9227 · 2 years ago

      Most have such a limit but it can be disabled. Actually that setup is for low performance hardware; imagine if you would remove the limit, a PC with a 1.5 GHz CPU and 4 GB RAM would become unresponsive and freeze. On high end flagships you will have different features than on low resources, so most infected machines are those that are not that performant. On high end hardware you will have hardware AV which will block the execution if the code is not standard behavior; a rootkit won't even run at boot time due to Secure Boot, and on some motherboards they also have a special processor for pre-processing the code and only valid code is passed to the main CPU. Such a configuration is bulletproof.

  • @silentmajority8518 · 2 years ago · +7

    Thanks for this video. I was wondering HOW ON EARTH these ppl got around 2FA recently. Now I know. Great info.

    • @Mario583a · 2 years ago · +1

      And knowing is half the battle.

  • @Voreoptera · 2 years ago · +7

    You barely explained why no one would notice that the docx file is an exe file, especially if show file extensions is enabled (hate Microsoft for disabling this by default). The attackers did not even bother adding docx to trick some users.

    • @Mario583a · 2 years ago · +6

      It's part Microsoft - part stupid people renaming the file _including_ the extension and complaining why Office won't load their files.

  • @Shocker99 · 2 years ago · +5

    Have you just started to make these types of videos?
    I don't know why but it feels like you have more credibility because of them. I've watched some of your Antivirus A vs Antivirus B type videos in the past and always wondered if it was unbiased or paid by a company content.

  • @fatrat600284 · 8 months ago

    Hackers try to hack The PC Security Channel
    Random hacker: "Why do I hear boss music?"

  • @FleetStreetBarber765 · 2 years ago · +1

    Thanks for the post Leo. First time giving a post on your channel. One of the best security channels

  • @chupathingy5862 · 2 years ago · +1

    That's actually pretty genius, jamming a bunch of zeroes in the middle.

  • @walshar2705 · 2 years ago · +1

    I thought a famous YouTuber would comment here and say "Hey that's what I did!"

  • @Stoner_mtl · 2 years ago · +3

    that's why you need second opinion scans like Hitman Pro Alert

  • @CeilingPanda · 2 years ago · +7

    Yes please more of these, even if I'm quite techy it's super good to have these types of videos to send to others! :)

  • @cestmamin · 2 years ago · +2

    This is a Cyber Security class in a YouTube video

  • @AtariKafa · 2 years ago · +3

    best antivirus is yourself...

  • @markissboi3583 · 2 years ago

    the black kitty cat sleeping on the bed, life's tough.

  • @rayrussell6258 · 2 years ago · +5

    if the security systems we use are limited in size of file it scans, then why don't they break down the file into smaller chunks, to be scanned. Surely they could design something that deletes all the repetitive zeros, and then put files back together, before scanning. (similar to how you manually did it)
    I'm not a programmer, but that seems like the way to eliminate scammers like this.

    • @tronghungnguyen8716 · 2 years ago

      A single repetitive run of 0s is easy, but once it gets to a repetitive sequence that's just impossible to split and detect easily

    • @rayrussell6258 · 2 years ago

      @tronghungnguyen8716 to my thinking, not really;
      break it into equal parts, doesn't matter where the zeros are, then look for all zeros in each part. When done, put it back together and run the scan. Just like he did manually.

    • @rayrussell6258 · 2 years ago

      @Emilia-fl5ii I'm not a programmer, but I still say you can break any file apart anywhere you like, scan the smaller files, and then put them back together again. If he could do it manually, it can be done in whatever software code they used, and look for patterns. Whether or not they used 0's or "junk" might make it harder to figure out the malicious intent, it doesn't stop the ability to do the scan; he said file size is preventing the scan, so that's where I said it should start, rather than leaving users totally exposed. As with most things new, people lose sight that you can't take step 2 until you take step 1.

    • @rayrussell6258 · 2 years ago

      @Emilia-fl5ii Well, look back then; the original poster broke the file apart, eliminated the 0's, put it back together, ran the virus scan on the smaller file, all that manually.
      I read what you say, and see nothing you say that overrides what he did manually, meaning it should be possible to replicate his manual process. I wish he would come back in to the thread and get in this discussion with you. As I said, I'm not a programmer. However, on my job, I was usually the designated spec writer, working with programmers, who automated our manual reports. We never found anything that couldn't be done with software. Took time occasionally to get the right software, but nothing stopped us.
      I think this situation is a hole not being fixed. It's fixable, somehow.
      Address further questions to the original poster please, not me. You two can talk it out, I'll read your discussion with him.

    • @rayrussell6258 · 2 years ago

      @Emilia-fl5ii Again, I said talk the technicals with the original poster, not directly to me.
      But from my point of view, if someone can do it manually, then it's do-able with programming. At least it would make it more difficult for the hacker to do mischief. Enough said.

  • @imtheconstitution1190 · 2 years ago · +3

    Looking at the name of the virus at 6:37 this is a Chinese god’s name, “yanluowang” 閻羅王, a god that manages afterlife world for mortals ( sort of similar to Hades)

  • @memetech- · 2 years ago · +1

    man, all that blank space is really taking up a lot of space. it's really important though...

  • @xelspeth · 2 years ago · +5

    If only there was some sort of checkbox you had to click on files before they are allowed to execute and otherwise warn you that they don't have permissions to be executed so you can't mistake an executable with a word document icon for a word document 😔

  • @LimE-iz1zb · 2 years ago

    Thumbnail: how youtubers get hacked
    Me: Oh cool, a new tutorial XD

  • @thegreatboomhauer6794 · 2 years ago · +4

    this is your best video, actually showing us the forensics of a malware. WOW

  • @ADVANCEDLEVELAUTO · 2 years ago · +1

    Wow! Great video! My channel was recently hacked because I opened an attachment similar to this one. I posted a video a few days ago explaining how it happened and how I was able to get my Gmail account back the same day. Crazy stuff! I’m way more cautious now.

  • @aayushkarulkar107 · 2 years ago · +4

    Me seeing the Mrwhosetheboss channel in the thumbnail: "Wait what, his channel got hacked!!!!!???" After all, UK's largest tech youtuber

    • @talksalot7562 · 2 years ago

      I mean.. he got hacked a few years ago-

    • @talksalot7562 · 2 years ago

      but I'm shocked that he is on the thumbnail on this vid...

  • @Nullifys · 2 years ago · +4

    So this is what security research is. I like this a lot

  • @BasedF-15Pilot · 1 year ago · +1

    Based on the train reflection in your mirror you live in Boston, or the UK also has some silver trains with 2 windows per car.

  • @Diarmuhnd · 2 years ago · +1

    Thanks for the info digital science guy on the PC Security Channel
    (sorry, don't know your name or nickname)
    Have fun and be safe.

  • @ayden8901 · 2 years ago · +8

    What antivirus do you personally use? Of course I've seen your tier list but I'm super curious to know what you use on your machine

  • @kastrodyll1724 · 2 years ago · +10

    i wonder how the executable would perform on virustotal after you removed the unnecessary parts.

    • @kastrodyll1724 · 2 years ago · +2

      I just tried to download the file myself, but they've changed the 7zip password. No chance to extract the file. Maybe I'll try it with a bruteforce attack.

    • @paullombardi9506 · 2 years ago

      Hi can you tell me how you downloaded the file ?????

    • @paullombardi9506 · 2 years ago

      I want to put it through virus total

    • @kastrodyll1724 · 2 years ago · +1

      @paullombardi9506 just copy the link seen in the video

    • @fade6052 · 2 years ago

      @kastrodyll1724 how was your test? Is it detected?

  • @Daxter250 · 2 years ago

    this is like the lockpicking lawyer getting a package of a lock that says "unpickable".

  • @TechX1320 · 2 years ago · +2

    I recently got hit in a very strange way. They changed my channel logo, they changed my channel name, they privated a bunch of random videos, not everything, just a bunch of randomly picked ones, and then they started live streaming a crypto scam
    Strange thing though is my two-factor authentication was never triggered, and I looked at logged in devices on my Google account, and the only ones that were logged in were my personal computer, my work computer, and my cell phone. So I couldn't kick them off that way either. I have no idea how they got in. Hadn't recently downloaded anything that I would think would be malicious.

    • @TechX1320 · 2 years ago

      @Appu26j wouldn't some sort of cookie stealer need to be used though? Work computer was a Mac, windows computer that was powered off since I wasn't home and an Android phone not rooted or anything sideloaded/modded apps

    • @TechX1320 · 2 years ago

      @Appu26j at the time it occurred, I searched the title of the live stream they were doing and noticed there were about a dozen other YouTube channels streaming the same thing. It was some Bitcoin scam.
      I could understand exploiting live streaming with something like somehow guessing the stream key, but it's so long and convoluted I highly doubt that. Also if you guess the stream key that doesn't give you access to change things like the channel name, private videos and change the channel layout

  • @bennysh · 2 years ago

    I had no idea about the size limit. thanks for the heads up.

  • @alipetuniashow · 2 years ago · +8

    Thanks for the video, it really helps with malware analysis for beginners

  • @BurhanRana · 2 years ago

    Straight away subscribed. This is the first video I watched from you and loved it.

  • @NickBush24 · 2 years ago

    Damn that's the mother of all NOP slides

  • @SidTheGeek · 2 years ago

    Given the fact that so many people who are on YT are also not familiar with TECH and its related issues, hackers can even get a grip on experienced users

  • @gb-channel1880 · 2 years ago · +1

    Good to know. I once programmed a logger for my pc when people who used to borrow my pc and I made it absolutely clear that I had installed a logger when they wanted to borrow my pc. After that no one borrowed my pc.

  • @tahafayed4843 · 2 years ago · +1

    are you using a filter or is your skin just so smooth?

  • @jhudieltheone308 · 2 years ago

    When YouTubers get hacked, the hacker takes control of their YouTube channel and streams cryptocurrency scams. So that's why youtubers are getting really hacked. Thanks for this very informative video.

  • @damienmcgirl3577 · 1 year ago · +11

    I'm honestly just a hacker for fun (I love finding the security breaches in computers and whatnot, it's like an advanced puzzle that always changes) and these videos not only help my skills but they also help me patch up and make my systems better

    • @cadmanfox6874 · 1 year ago

      @Kanyesouth436 I doubt he hacks other people's systems, this is actually pretty common. Pretty sure they're called white-hat hackers. But if he actually does hack other people, he can gtfo of civilization.

    • @damienmcgirl3577 · 1 year ago

      @americanketchup4340 don't bother, these guys are idiots. It's not worth your time trying to explain it

    • @Kanyesouth436 · 1 year ago

      @americanketchup4340 ye

  • @naeroforceofficial · 2 years ago · +1

    I GOT IT, I GOT EXACTLY THIS! Do I need to worry if I didn't open it? I just unzipped and when I saw the file was 750MB I just WIPED it out of existence

    • @SpeedsterBlur · 2 years ago · +1

      You're fine as long as you didn't run the file.

  • @aidanguy2182 · 1 year ago

    commenting to boost this video into people's recommendations.

  • @someuser4166 · 2 years ago · +1

    Malwarebytes can scan big files if you right click on them and tell it to

  • @SealedSaucer · 2 years ago · +1

    I got 2 of these mails the previous month. And one today. Was wondering what was happening and then this video popped up in my recommendations. Thanks man, really appreciate it.

  • @lechendary · 2 years ago

    idk why but your mouse movement is satisfying

  • @TimeToGrind · 2 years ago

    I clicked on a .scr file that came via a fake sponsorship and it seems to be exactly what you are explaining. Do you have any resources or videos you've made about how to make sure you've removed all of the viruses?

  • @MixingSneaX · 2 years ago

    Imagine if PewDiePie or MrBeast commented and said "Good Tutorial, worked."

  • @Stuff1646 · 2 years ago · +4

    I suffered from the exact same malware, though instead of an exe, the attacker had used a Chrome extension that had a great reputation and reviews, so it was hard to determine if it was malicious or not. Oddly enough after 2 months it had remotely installed Redline Stealer along with some other nasties and later on got kicked off the Chrome store.

    • @joemama3372 · 2 years ago

      Wow... From a Chrome Extension that seemed legitimate and good reviews..
      I'm often suspicious of Extensions for browsers, Google Office and MS Office products..

    • @Stuff1646 · 2 years ago

      @joemama3372 Should also be suspicious about Play Store apps as Google doesn't do a good job when it comes to auditing.

    • @Fatman305 · 1 year ago · +1

      Which is why I trust only extensions that have been available for 2+ years, and have plenty of downloads and plenty of reviews. Very easy to get a few hundred fake reviews.

  • @PushyPawn · 2 years ago

    Time to do something about this 650 MB limit of virus scanners.

  • @ChodaBoyUSA · 2 years ago · +1

    Is this threat part of your test suite? If not, do you plan to add it? It would be nice to know how well the big name security products handle it. Would any antivirus software have protected those YouTubers?

  • @rowanpoole
    @rowanpoole 2 years ago +1

    6:53 use behavioral detection and response... If you want the best you can speak to me.

  • @thebritishindian1
    @thebritishindian1 2 years ago +3

    Great explanation, thanks. Given the size limitation of virus checkers, how can you check those big applications that you download from genuine companies, just in case they’ve been compromised without knowing?
    It would’ve been great if you could have executed the file anyway and showed how the virus checker would’ve handled it.

    • @goldenhate6649
      @goldenhate6649 1 year ago +1

      PUP finders tend to do a better job at this. Most antiviruses now are just bloatware, sadly.

  • @agrodpodnk7054
    @agrodpodnk7054 2 years ago +1

    Thing is though redline is really rare to get a hold of

  • @mrtechie6810
    @mrtechie6810 1 year ago

    750MB contract?
    Nope, too much fine print!

  • @jamesedwards3923
    @jamesedwards3923 2 years ago +1

    You explained it well.
    So I have a question. Avast or Malware Bytes? I prefer Malware Bytes.

  • @marufbepary100
    @marufbepary100 2 years ago +1

    I'm not saying I'm immune, but as a Linux user, the chances of me being infected are pretty minimal. Despite this, it is good practice to play it safe and exercise common sense.

  • @RyanCGames
    @RyanCGames 2 years ago

    That's very interesting that they stuffed the file with 0's to inflate the size! A bit clever, but not clever enough to trick you! Also, cool to see you also using a Shure MV7 since I got the silver one on Black Friday!
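    The zero-stuffing trick in the video, and the scanner size limit several comments mention, are easy to check for yourself. This is an added example (not code from the video or the channel): a Python script that finds the largest run of 0x00 bytes in a file, reports what fraction of the file it occupies, and hashes the file with that run removed so a padded sample can be matched against the hash of the unpadded one. The 50% threshold and the sample bytes are my assumptions; legitimate installers can also contain large zero regions, so treat the flag as a triage hint rather than a verdict.

    ```python
    import hashlib
    import math
    import re

    def longest_zero_run(data: bytes) -> tuple[int, int]:
        """Return (offset, length) of the longest run of 0x00 bytes in data."""
        best_off, best_len = 0, 0
        for m in re.finditer(rb"\x00+", data):  # regex scan runs at C speed, fine for big files
            length = m.end() - m.start()
            if length > best_len:
                best_off, best_len = m.start(), length
        return best_off, best_len

    def shannon_entropy(data: bytes) -> float:
        """Bits per byte: ~0 for a zero-filled block, near 8 for packed or encrypted code."""
        n = len(data)
        if n == 0:
            return 0.0
        counts = (data.count(bytes([v])) for v in range(256))
        return -sum((c / n) * math.log2(c / n) for c in counts if c)

    def padding_report(data: bytes, min_fraction: float = 0.5) -> dict:
        """Flag a file whose single largest zero run dominates its size (threshold is an assumption)."""
        off, run = longest_zero_run(data)
        stripped = data[:off] + data[off + run:]      # the file with the padding cut out
        fraction = run / len(data) if data else 0.0
        return {
            "size": len(data),
            "zero_run_offset": off,
            "zero_run_length": run,
            "zero_fraction": round(fraction, 3),
            "entropy_whole": round(shannon_entropy(data), 2),
            "entropy_stripped": round(shannon_entropy(stripped), 2),
            "suspicious": fraction >= min_fraction,
            "sha256_original": hashlib.sha256(data).hexdigest(),
            "sha256_stripped": hashlib.sha256(stripped).hexdigest(),
            "stripped_size": len(stripped),
        }

    # Constructed samples (not real malware): 1 KiB of varied bytes standing in for a small
    # binary, and the same bytes with 8 KiB of 0x00 stuffed into the middle, as in the video.
    SAMPLE_CLEAN = bytes(range(256)) * 4
    SAMPLE_PADDED = SAMPLE_CLEAN[:100] + b"\x00" * 8192 + SAMPLE_CLEAN[100:]

    if __name__ == "__main__":
        for name, blob in (("clean", SAMPLE_CLEAN), ("padded", SAMPLE_PADDED)):
            r = padding_report(blob)
            print(f"{name}: size={r['size']} zero_run={r['zero_run_length']} "
                  f"fraction={r['zero_fraction']} suspicious={r['suspicious']}")
    ```

    Cutting the padding out changes the SHA-256, which is why a lookup of the original file and of the trimmed one can return different results.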

  • @1y3911
    @1y3911 2 years ago +1

    I will never do it.

  • @zangizangidze8787
    @zangizangidze8787 2 years ago +1

    guys!!!
    i found muta's brother.

  • @GeorgeMcCoy
    @GeorgeMcCoy 2 years ago

    This is one of the best CZcams videos that I've seen in a long time. Thanks for sharing this.

  • @steveskipper6473
    @steveskipper6473 2 years ago +2

    I can see this absurdly simple tactic of distributing large malware files becoming a "thing".

  • @cincinatiq2754
    @cincinatiq2754 2 years ago

    Worries..zero! Pimples..Zero..Malware? Kaspersky!

  • @paimonbutter
    @paimonbutter 2 years ago

    Saw mrwhosetheboss in the thumbnail and clicked

  • @lolobke
    @lolobke 2 years ago +1

    Can you get the malware from watching CZcams videos?

  • @koshkamatew
    @koshkamatew 2 years ago +1

    Real VS Fake NordVPN Sponsorship mail

  • @ramyRHM
    @ramyRHM 2 years ago +1

    Poor TimeDeo who got hacked
    o7

  • @thrices4372
    @thrices4372 2 years ago +3

    Can you teach us the best practice on how to make a virtual Windows to test viruses and malware?

  • @Reeegon
    @Reeegon 2 years ago +1

    would you recommend the google usb stick for access and security?

  • @joeyr3349
    @joeyr3349 2 years ago +1

    any unknown email in my inbox.... "STRAIGHT TO BIN"

  • @LNDFHACKER
    @LNDFHACKER 2 years ago +1

    And the ZIP is encrypted so AV software would have trouble analyzing it...

  • @javiTests
    @javiTests 2 years ago +4

    Thank you for sharing! Quick question... How would they bypass the 2-factor authentication? Even if they force you to log in again, steal passwords and the 2-factor value, when they go and use those credentials they will need to type another 2-factor value, right? That they don't have... 🤔

    • @flyhtz
      @flyhtz 2 years ago +5

      You log in and it makes a cookie, and when you exploit a cookie by injecting it (if you really want to know and want an example, I'd look up how to log into Discord using a Discord token, it's the exact same) the device/account thinks: "oh hey, I know this one, he doesn't need to do 2FA cuz I trust him :D"

    • @nickwoodward819
      @nickwoodward819 2 years ago +1

      but that trust wouldn't extend to sensitive operations like password changes? So how would they steal the account/lock you out?

    • @javiTests
      @javiTests 2 years ago

      @@flyhtz Aren't cookies linked to specific devices? If not, yes, that's quite a big security hole!

    • @flyhtz
      @flyhtz 2 years ago

      @@nickwoodward819 No, it would not, but as soon as they have the cookie they can change the password and email.

    • @flyhtz
      @flyhtz 2 years ago

      @@javiTests They are not, they are linked to browsers, so you can inject them.

  • @t3true-games
    @t3true-games 2 years ago +3

    They hacked a gaming channel I know, the guy had over 1 million subs! And it went to these crypto videos.. He was able to get it back like 2 weeks later tho. But that sucks!

  • @Fantasy2k
    @Fantasy2k 2 years ago +2

    thanks for the info

  • @ThatTransistorGuy
    @ThatTransistorGuy 1 year ago

    Antivirus programs should have options to prioritize detection accuracy, rather than performance. I think avast has some options to scan entire files, regardless of size (if my memory serves me well). If you guys are testing malware, make sure you use a low privilege standalone vm.

  • @BufferTheHutt
    @BufferTheHutt 4 months ago

    really interesting video. Really really awesome.
    If I want to investigate these type of malware do you recommend doing it in a safe environment like tailsOS or a VM in a VM?

    • @il_panda1979
      @il_panda1979 1 month ago

      I'm not the guy you are asking this to, but unless you are Marcus Hutchins, you should probably get a VM (if you don't plan to run anything, then you could just use your PC, but for the love of god don't run a debugger). By the time you get to something that is going to bypass your VM you will probably be expert enough not to make the mistake of opening it.

  • @lewiskelly14
    @lewiskelly14 2 years ago +1

    Why did you use different online services before and after removing the middle space?

  • @Akotski-ys9rr
    @Akotski-ys9rr 2 years ago

    I did not know that most anti viruses don’t scan large files but now that I think about it, it makes sense

  • @georgesenda1952
    @georgesenda1952 2 years ago

    I get those promotional video emails constantly. I mark them spam.

  • @CountryBoyGasGarage
    @CountryBoyGasGarage 2 years ago

    I just had this happen to me! It took over 2 weeks for Google support to recover my account and CZcams channel. It corrupted my Google account, then hijacked my CZcams channel; it changed the name and the image and started running a livestream about bitcoin, until CZcams deleted the channel altogether.. It took me over 2 weeks of emails and back-and-forth with Google support before I was able to recover my account and my CZcams channel.

    • @RobertSalas
      @RobertSalas 2 years ago

      You might have installed a cookie logger and stealer trojan commonly found on youtube description links.

  • @blakegriplingph
    @blakegriplingph 2 years ago

    Which reminds me... Ever since mods for the indie beat-em-up game Sifu came out, there's been a rash of scam channels taking advantage of people's gullibility by posting videos purporting to offer skin mods for the game, only for the link to be a scam site leading to what may be malware similar to this.

  • @kenpachizaraki4184
    @kenpachizaraki4184 2 years ago +1

    Would deleting the file, and doing a system restore to revert back, be sufficient in ridding the threat? I'm trying to avoid a clean wipe.
    Edit: actually, I extracted the contents, saw an .exe but never ran it though. There's no reason a company offer should supply an exe.

  • @matiinb
    @matiinb 2 years ago

    One thing that is not good is that some people don't enable that checkbox for showing file extensions and when they download such a file, they say "Oh ok this is a normal Word document, isn't it?" and they open it...

  • @GrenPara
    @GrenPara 2 years ago

    Good video, thanks for making it.
    Where do you get pestudio from?